Free ISO/IEC 27001 Lead Auditor Exam Braindumps (page: 21)

Scenario: Techmanic is a Belgian company founded in 1995 and currently operating in Brussels. It provides IT consultancy, software design, and hardware/software services, including deployment and maintenance. The company serves sectors like public services, finance, telecom, energy, healthcare, and education. As a customer-centered company, it prioritizes strong client relationships and leading security practices.

Techmanic has been ISO/IEC 27001 certified for a year and regards this certification with pride. During the certification audit, the auditor found some inconsistencies in its ISMS implementation. Since the observed situations did not affect the capability of its ISMS to achieve the intended results, Techmanic was certified after auditors followed up on the root cause analysis and corrective actions remotely. During that year, the company added hosting to its list of services and requested to expand its certification scope to include that area. The auditor in charge approved the request and notified Techmanic that the extension audit would be conducted during the surveillance audit.

Techmanic underwent a surveillance audit to verify its ISMS's continued effectiveness and compliance with ISO/IEC 27001. The surveillance audit aimed to ensure that Techmanic's security practices, including the recent addition of hosting services, aligned seamlessly with the rigorous requirements of the certification.

The auditor strategically utilized the findings from previous surveillance audit reports in the recertification activity with the purpose of replacing the need for additional recertification audits, specifically in the IT consultancy sector. Recognizing the value of continual improvement and learning from past assessments, Techmanic implemented a practice of reviewing previous surveillance audit reports. This proactive approach not only facilitated identifying and resolving potential nonconformities but also aimed to streamline the recertification process in the IT consultancy sector.

During the surveillance audit, several nonconformities were found. The ISMS continued to fulfill the ISO/IEC 27001's requirements, but Techmanic failed to resolve the nonconformities related to the hosting services, as reported by its internal auditor. In addition, the internal audit report had several inconsistencies, which questioned the independence of the internal auditor during the audit of hosting services. Based on this, the extension certification was not granted. As a result, Techmanic requested a transfer to another certification body. In the meantime, the company released a statement to its clients stating that the ISO/IEC 27001 certification covers the IT services, as well as the hosting services.

What action should be taken regarding Techmanic's certification? Refer to scenario.

  A. Suspend the certification because they used the certification out of its scope
  B. Withdraw the certification because they failed to resolve nonconformities related to the hosting services
  C. Transfer the certification because they were not granted the extension certification

Answer(s): B

Explanation:

According to the scenario, Techmanic was unable to resolve the nonconformities related to its hosting services during the surveillance audit, and the internal audit had several inconsistencies that raised concerns about the independence of the internal auditor. Because the extension certification was not granted and the nonconformities were not adequately addressed, the appropriate action would be to withdraw the certification until these issues are resolved. Continuing to claim certification for hosting services without addressing these nonconformities would be misleading and non-compliant with ISO/IEC 27001 standards.



Is the internal auditor responsible for following up on action plans resulting from external audits?

  A. No, the internal auditor should follow up on action plans submitted in response to nonconformities resulting only from internal audits
  B. Yes, only if minor nonconformities have been detected during the external audit
  C. Yes, the internal auditor should follow up on action plans submitted during internal and external audits

Answer(s): C

Explanation:

The internal auditor plays a crucial role in ensuring that corrective actions are taken and followed up on, whether they result from internal or external audits. The responsibility includes tracking the implementation of action plans for nonconformities identified in both internal and external audits to ensure that the corrective measures are effective and that the organization's management system remains compliant with ISO/IEC 27001 standards.



Which of the options below does an internal audit program NOT allow?

  A. Verification of the effectiveness of corrective actions
  B. The reduction of manual audit tasks
  C. The prevention of nonconformities

Answer(s): C

Explanation:

An internal audit program focuses on verifying compliance with standards, evaluating the effectiveness of corrective actions, and improving audit efficiency. However, it does not directly allow for the prevention of nonconformities. The prevention of nonconformities typically involves proactive risk management and continuous improvement processes outside of the audit itself. The internal audit can identify and assess nonconformities but cannot directly prevent them from occurring.



According to ISO/IEC 17021-1, what is the purpose of surveillance audits?

  A. To assess compliance and grant initial certification
  B. To evaluate the financial performance of the organization
  C. To maintain confidence in the certified management system between audits

Answer(s): C

Explanation:

Surveillance audits are conducted to ensure that the certified management system continues to conform to the relevant standards and remains effective in the period between the initial certification audit and the next full audit. These audits help maintain confidence in the system’s ongoing performance.
